Stopping the Sprawl - Making Identities an Asset to the Business

How often have you signed up for a new cloud service, perhaps the latest remote collaboration tool or productivity application, in the past two years? A 2021 survey by the Identity Security Alliance reported that 83% of respondents had increased the number of identities within their organization in the past year. The number of identities relating to the business is expanding, and the more the IT estate grows, the more unwieldy it becomes.

This identity sprawl inevitably hampers the ability of organizations to manage, audit and control digital identities and what they can access across the enterprise. Identity sprawl is not a new problem, but the scale of the sprawl has increased substantially due to the transition to the hybrid workplace and the broad adoption of cloud services. Most organizations have identity data spread out across a disjointed set of repositories, including Active Directory (AD), Lightweight Directory Access Protocol (LDAP) directories, HR systems, application databases and cloud applications, platforms and services. There is usually no underlying structure tying this hodgepodge together, making it all but impossible to build accurate and complete user profiles and ultimately to centrally determine and administer what individuals can and can’t access.

For example, is John Smith in Active Directory the same individual as JSmith in Salesforce? What other accounts can we link to this person, and what organizational resources and applications can they collectively access? Each unanswerable question represents a dangerous blind spot in the view of the company’s security. Heavily siloed systems are a gift to threat actors, providing them with more gaps to exploit and a greater chance of staying undetected while perpetrating a security breach.

The Struggle to Connect the Dots

The accessibility of SaaS has exacerbated the problem, as users can sign up for new services or platforms in a matter of minutes. Unfortunately, this can often occur outside the supervision of your IT team and without following security best practices or policies, which can lead to a growing collection of shadow IT assets.

For example, an employee working remotely might decide to bypass the company’s file-sharing system and sign up for an external service like Dropbox. Because they were late for a meeting, they re-used their existing SharePoint password and did not enable two-factor authentication. Now a new digital identity has been created that is unknown to your security and IT team. In this case, if an attacker breaches the external service using a credential stuffing attack, they can access other enterprise resources and applications.

To rein in identity sprawl, organizations need to create global profiles of all their users and their associated entitlements and attributes across all sources of identity data. In practice, this requires significant identity integration work, including aggregation of identity data, correlation and linking of accounts, data transformation and normalization. The challenge is that all of this identity data is available in different formats, schemas and with varying protocols and APIs for accessing that data. Once you have built this global profile, you will need to synchronize changes between this central image and the identity silos that compose it. These integration tasks typically require custom development or professional services that can stretch the budget and timeline of your IT and security projects.
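The correlation step described above can be sketched in a few lines. This is an added example, not code from the article or from any identity product: the records are constructed, each silo's field names are assumptions, and linking by employee ID with a fallback to normalized email is one simple matching rule among many.

```python
# Constructed sample data; each silo's field names are assumptions.
HR = [
    {"emp_id": "1001", "name": "John Smith", "email": "John.Smith@example.com", "status": "active"},
    {"emp_id": "1002", "name": "Ana Ruiz", "email": "ana.ruiz@example.com", "status": "terminated"},
]
AD = [
    {"sAMAccountName": "john.smith", "mail": "john.smith@example.com", "employeeID": "1001", "enabled": True},
    {"sAMAccountName": "ana.ruiz", "mail": "ana.ruiz@example.com", "employeeID": "1002", "enabled": True},
]
SALESFORCE = [
    {"Username": "JSmith", "Email": " JOHN.SMITH@example.com ", "IsActive": True},
    {"Username": "svc-export", "Email": "export@example.org", "IsActive": True},
]
# Per-silo schema mapping onto one common account shape (normalization).
SCHEMAS = {
    "ad": {"login": "sAMAccountName", "email": "mail", "emp_id": "employeeID", "active": "enabled"},
    "salesforce": {"login": "Username", "email": "Email", "emp_id": None, "active": "IsActive"},
}

def normalize(source, record):
    fields = SCHEMAS[source]
    return {
        "source": source,
        "login": record[fields["login"]],
        "email": record[fields["email"]].strip().lower(),
        "emp_id": record.get(fields["emp_id"]) if fields["emp_id"] else None,
        "active": bool(record[fields["active"]]),
    }

def build_profiles(hr, accounts):
    """Link accounts to HR people by employee ID, falling back to email."""
    profiles = {p["emp_id"]: {"name": p["name"], "status": p["status"], "accounts": []} for p in hr}
    by_email = {p["email"].strip().lower(): p["emp_id"] for p in hr}
    unlinked = []
    for acct in accounts:
        emp_id = acct["emp_id"] if acct["emp_id"] in profiles else by_email.get(acct["email"])
        if emp_id:
            profiles[emp_id]["accounts"].append(acct)
        else:
            unlinked.append(acct)  # no owner found: a candidate for review
    return profiles, unlinked

def stale_accounts(profiles):
    """Active accounts still linked to someone HR no longer lists as active."""
    return [(p["name"], a["source"], a["login"]) for p in profiles.values()
            if p["status"] != "active" for a in p["accounts"] if a["active"]]

ACCOUNTS = [normalize("ad", r) for r in AD] + [normalize("salesforce", r) for r in SALESFORCE]
PROFILES, UNLINKED = build_profiles(HR, ACCOUNTS)
```

Here the Salesforce login JSmith lands on the same profile as the AD account john.smith, the account with no HR match is set aside as unlinked, and the still-enabled AD account of a terminated employee is reported by `stale_accounts`.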

Why an Identity Data Fabric Might Hold the Answer

There is, however, a more recent development that can keep pace with the dynamic nature of today’s digital business – an approach known as an identity data fabric. The idea behind the identity data fabric is to provide a connective layer between consumers of identity (applications, services and other identity solutions that provide access management and governance) and all the silos of identity data. Applications now have one reusable service that they can connect to for unified and normalized identity data, on-premises or in the cloud, using the format and protocol of their choice. As a result, applications can effectively delegate the complex identity integration work to the fabric and focus on the core capabilities they were designed for.

Gartner listed data fabrics as a top technology trend for 2022. This same concept, adapted for the identity management space, can vastly simplify how digital identities are managed and secured, enabling organizations to control the sprawl without the cost and complexity of custom integration projects.

This greatly improves an organization’s ability to reduce common security risks such as users with excess privileges or accounts from former employees that have erroneously remained active. It also allows organizations to future-proof their identity management, easily scaling up and accommodating any new elements as the company continues to grow and progress in its digital transformation journey.
